U.S. is losing ground on IT security, witnesses tell Hill

Security panel decries focus on minor threats, such as Web site hacking, and the lack of action despite frequent studies

BY WILLIAM JACKSON | GCN STAFF

Cybersecurity is slipping, a panel of experts last month told lawmakers at a hearing of the Joint Economic Committee.

The biggest threat is cyberwarfare sponsored by foreign governments, said Lawrence K. Gershwin, the national intelligence officer for science and technology for the CIA's National Intelligence Council. Only nations have enough backing for 'the future prospect of causing widespread, long-duration damage to critical U.S. infrastructures,' he said.

Big issues missed

The joint committee's ranking Senate Republican, Sen. Robert F. Bennett of Utah, said observers have missed the forest for the trees.

'The complex issues of cybersecurity and infrastructure protection are overshadowed by the attention paid to hacking exploits and Web site defacements,' he said.

Panelists urged the government to put some teeth into federal security oversight. Frank J. Cilluffo, of the Center for Strategic and International Studies' Homeland Defense Project, recommended creating a presidential assistant position for critical infrastructure protection as well as a centralized federal intrusion detection center.

The CIA's Gershwin said solo hackers, organized crime and terrorists pose only limited long-term threats. The landscape is changing too quickly for lone wolves and free-lancers to acquire the necessary expertise, he said.

'For the next five to 10 years, only nation-states appear to have the discipline, commitment and resources to attack critical infrastructures,' he said.

Duane P. Andrews, executive vice president of Science Applications International Corp. of San Diego, testified that little has changed since he served on the Joint Security Commission established by the Defense Department and the CIA in 1994. The commission found insufficient attention being paid then to information security risks, Andrews said.

Since that time, he said, 'the rate of progress has been slower than the growth of the potential threat, and overall we have lost ground. For a decade, we have had study after study and report after report. So the question is, why haven't we taken the necessary steps to address the cyberthreat?'

Andrews charged that there is no serious government oversight. The National Infrastructure Protection Center in the Justice Department focuses on law enforcement rather than national security.

The NIPC's work should be turned over to the Defense Department and dealt with as a military problem, he said.

All talk, no action

Cilluffo cited the 1998 Presidential Decision Directive 63, which spawned NIPC, the National Infrastructure Assurance Council and the Critical Infrastructure Assurance Office.

'Unfortunately, the directive has proved to be long on nouns and short on verbs,' he said. 'The time has come for implementation and execution.'

A presidential assistant, approved by Congress and empowered with real authority, could 'streamline and replace the myriad structures that currently exist,' Cilluffo said.

He said an executive order from President Bush, titled 'Security in the Information Age,' is nearly finished and is being circulated for comment.
